A Risk Register is the Siren Song of Risk Management

Before we go any further, let me state unequivocally that filling in boxes in a risk register chart is not Risk Management.

But on numerous occasions, RISKVIEWS has come across risk officers who have been concentrating on managing a Risk Register for multiple years.  That is why the Risk Register is the siren song of Risk Management.  No not the siren that makes a loud noise for the Fire Department.  The Sirens of Homer’s Odyssey.

The siren’s song attracted sailors who as they got closer to listen crashed upon the rocks and died.

So with risk managers and risk registers.  Risk registers provide two convenient things: plenty of tasks and evidence of accomplishment.  However the tasks are ultimately lower value and the accomplishment is usually only internal to the Risk Register.  The risk manager who is enthralled by the song of the risk register gets further and further into the world of the risk register and loses touch with the world of the company.  They try to find ways to entice others into the world of the risk register.

But real risk management requires only a simple list of risks, risk owners and risk mitigation activities.  This should never be maintained on spreadsheets in formats that can only be printed with 8 point type or never seen in total because there are just too many columns of important details.  Nor should the list of risks require a special purchased system that allows only registered users to view or enter information.

Managing the process of

Adding cash or profits now while adding risk

-or-

reducing cash or profits now while decreasing risk

is real risk management.  

Because the real job of risk management is not the manufacture of lists that are elevated in status by the name register.  Real risk management involves making difficult decisions and taking actions based upon those decisions.  Those decisions always involve a trade-off between cash or profits now and risk later.  Adding cash or profits now while adding risk later or reducing cash or profits now while decreasing risk later.  That is real risk management.

Learnings from the Superstorm

From the FSOC 2013 Annual Report with minor paraphrasing…

• Planning and testing: It is important that your company and all of your important counterparties, vendors, and sub contractees, fully understand the functionality of contingency systems, and that key operations and business personnel communicate efficiently to assure enterprise-wide clarity. Expanded testing exercises would enhance assurance of failover reliability. Such testing should involve all parties inside and outside your firm that you depend upon to continue functioning, and should also involve providers of essential services such as power, water, and telecommunications.

• Incident management: Protocols for assuring a timely decision on whether and when to close or open the company would benefit from review and streamlining by the responsible parties. Likewise, protocols for assuring timely decisions within the firm on whether and when to leverage back-up sites would benefit from continued regular testing. Furthermore, operational interdependencies need to be fully incorporated in the decision-making process.

• Personnel: The resilience of critical components of the company requires geographic dispersal of both electronic systems and personnel sufficient to enable an organization to operate despite the occurrence of a wide-scale disruption affecting the metropolitan or geographic area of the organization’s primary operations, including communities economically integrated with, adjacent to, or within normal commuting distance of the primary operations area. Organizations, including major firms, need to continuously and rigorously analyze their routine positioning and emergency repositioning of key management and staff. This is an ongoing requirement as technology, market structure, and institutions evolve rapidly. Developed business continuity plans should be implemented, and key staff should be sent to disaster recovery sites when there is advance notice of events.

• Dependencies: Cross-industry interdependencies require constant review, reassessment, and improvement by organizations to mitigate the impact of energy, power, transport, and communications failures during severe incidents, and to help ensure reliable redundancy.

FROM THE ERM SYMPOSIUM IN CHICAGO

Post to Financial Training

• ERM Symposium Take aways

Posts to WillisWire:

• Has Risk Management become a Spectator Sport
• Actuarial Professional Risk Management
• ERM For Financial Intermediaries

Tweets:

1. Neil Cantle ‏@NJCantle 24 Apr

   Former FDIC Chairman Sheila Bair speaking at #ermsymposium warns #SolvencyII against internal models as they encouraged banks to take risk
2. Max Rudolph ‏@maxrudolph 24 Apr

   What happened to last year’s discussion of a country CRO at the #ermsymposium?
3. Max Rudolph ‏@maxrudolph 24 Apr

   Speaker from Fed at #ermsymposium says CTE no good since you don’t know distribution. How was the product priced? Not with stress tests!

   Retweeted by SocietyofActuaries

4. Neil Cantle ‏@NJCantle 23 Apr

   Seems that insurance industry may need to save up more cash to cover Nat Cat if forecasts on climate change are right! #ermsymposium
5. Max Rudolph ‏@maxrudolph 23 Apr

   Systemic risk decreases with transparency. #ermsymposium
6. Neil Cantle ‏@NJCantle 23 Apr

   So, we trust national security to causal models because data does not work. But we trust financial systems to statistics. #ermsymposium
7. Neil Cantle ‏@NJCantle 23 Apr

   Just hearing all the great things about Bayesian models…expert judgement, ease of communication to C-suite #ermsymposium #Bayesrules

   1. Dave Ingram ‏@dingramerm 23 Apr Must look at risk measures in the context of your business model. C Lawrence #ermsymposium
   2. Dave Ingram ‏@dingramerm 23 Apr

      Need to invest in the future of risk profession. Mark Abbott #ermsymposium
   3. K Andemichael ‏@that_art_guy 21 Mar

      I just heard the coolest story from Hall of Achievement Inductee Gary Peterson #ERMSymposium pic.twitter.com/1un0ZwJl1D
   4. Milliman, Inc. ‏@millimaninsight 20 Apr 12

      Neil Cantle: Complex adaptive systems are more than the sum of their parts. #ERMSymposium http://www.tout.com/m/nphp8d 
   5. Risk Institute ‏@riskinstitute 20 Apr 12

      What is the biggest misconception about enterprise risk management? http://bit.ly/JUbWb9  #ERMSymposium #ERM #risk

      Retweeted by Milliman, Inc.

   6. Risk Institute ‏@riskinstitute 18 Apr 12

      What role does economic capital modeling play in your organization? http://bit.ly/ISWFM7  #ERMSymposium #ERM

      Retweeted by Neil Cantle and 1 other

   7. Max Rudolph ‏@maxrudolph 18 Apr 12

      Business Insurance article focuses on the Emerging Risks Survey and includes some quotes from me. #ERMSymposium http://lnkd.in/M2P3xv 
   8. Max Rudolph ‏@maxrudolph 18 Apr 12

      CFO magazine article quoting me and talking about the Emerging Risks Survey! #ERMSymposium http://lnkd.in/-g-Dar 

1. CRO needs to have a 360 degree view of risk. #ermsymposium
   from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
2. New risk: longevity risk transfer products take a risk that was regulated into non-regulated areas. S Wason #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
3. Companies do not always believe in their own mortality which undermines any risk mgt culture. #ermsymposium
   from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
4. Interconnectedness is THE issue for financial regulation going forward. #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
5. CEO needs to be very hands on with risk. Deniability is not an option. S Bair #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 24 Apr
6. Predictive analytics in US healthcare #ermsymposium from Illinois, US Dave Ingram ‏@dingramerm 24 Apr
7. Canadians using ERM to improve financial management of health firms. #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
8. Professional Standards for Actuarial Risk Managers effective May 1, 2013 http://lnkd.in/mYwr6d Dave Ingram ‏@dingramerm 23 Apr
9. Too many think the risk equations are a closed form solution for the future when they are really about the past. M McCarthy #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
10. When you crossed a limit you HAD to take an ACTION. B Mark #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
11. Key goal of regulators is now financial stability. Zero tolerance for “fat tailed” failure. C Lawrence #ermsymposium
    from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
12. Bank returns jumped from 7% to 20% in 1970s & believed that risk was under control. C Lawrence #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
13. Biggest risks are when we choose not know about potential problems that we did know about. Turning off fire alarms. W Fisher #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
14. ERM can find offsetting risks and notionally create capital and opportunity. This gets enthusiastic buy in from mgt. M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
15. The ERM program needs to show success on the opportunity side ot risk. J Kollar #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
16. Accounting can cloud risk issues. Challenge to reconcile different statement. M Stein #ermsymposium from Chicago, IL Dave Ingram ‏@dingramerm 23 Apr
17. Disconnect between economics and accounting a challenge for ERM. Makes it harder to get buy in for ERM C Gilbert #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
18. CRO Council papers Model Validation & Emerging Risks M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
19. Key for CRO to be able to create a coherent summary of risk information for board M Stein #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
20. Get board involved asking the risk questions. This create engagement in the organization to answer those questions W Fisher #ermsymposium Dave Ingram ‏@dingramerm 23 Apr
21. Wayne Fisher addressing Risk Profile at CRO panel #ermsymposium

But even with all those tweets, #ermsymposium did not make it to the top list of trending categories

Provisioning – Packing for your trip into the future

There are two levels of provisioning for an insurer.  Reserves and Risk Capital.  The two are intimately related.  In fact, in some cases, insurers will spend more time and care in determining the correct number for the sum of the two, called Total Asset Requirement (TAR) by some.

Insurers need an realistic picture of future obligations long before the future is completely clear. This is a key part of the feedback mechanism.  The results of the first year of business is the most important indication of business success for non-life insurance.  That view of results depends largely upon the integrity of the reserve value.  This feedback information effects performance evaluation, pricing for the next year, risk analysis and capital adequacy analysis and capital allocation.

The other part of provisioning is risk capital.  Insurers also need to hold capital for less likely swings in potential losses.  This risk capital is the buffer that provides for the payment of policyholder claims in a very high proportion of imagined circumstances.  The insurance marketplace, the rating agencies and insurance regulatory bodies all insist that the insurer holds a high buffer for this purpose.

In addition, many valuable insights into the insurance business can be gained from careful analysis of the data that is input to the provisioning process for both levels of provisioning.

However, reserves are most often set to be consistent with considerations.  Swings of adequate and inadequate pricing is tightly linked to swings in reserves.  When reserves are optimistically set capital levels may reflect same bias. This means that inadequate prices can ripple through to cause deferred recognition of actual claims costs as well as under provisioning at both levels.  This is more evidence that consideration is key to risk management.

There is often pressure for small and smooth changes to reserves and risk capital but information flows and analysis provide jumps in insights both as to expectations for emerging losses as well as in terms of methodologies for estimation of reserves and capital.  The business pressures may threaten to overwhelm the best analysis efforts here.  The analytical team that prepares the reserves and capital estimates needs to be aware of and be prepared for this eventuality.  One good way to prepare for this is to make sure that management and the board are fully aware of the weaknesses of the modeling approach and so are more prepared for the inevitable model corrections.

Insurers need to have a validation process to make sure that the sum of reserves and capital is an amount that provides the degree of security that is sought.  Modelers must allow for variations in risk environment as well as the impact of risk profile, financial security and risk management systems of the insurer in considering the risk capital amount.  Changes in any of those elements may cause abrupt shifts in the amount of capital needed.

The Total Asset Requirement should be determined without regard to where the reserves have been set so that risk capital level does not double up on redundancy or implicitly affirm inadequacy of reserves.

The capital determined through the Provisioning process will usually be the key element to the Risk Portfolio process.  That means that accuracy in the sub totals within the models are just as important as the overall total.  The common practice of tolerating offsetting inadequacies in the models may totally distort company strategic decision making.

This is one of the seven ERM Principles for Insurers.

Does Anyone Care about Risk Appetite?

RISKVIEWS got a private comment on the Risk Portfolio post. The comment can be summed up by the title above.

And if you think about the insights about ERM from the Plural Rationality discussion, you might echo that question.

If your risk attitude is what we call MAXIMIZER, then you will believe that you should be able to accept as much adequately priced risk as you can find.

If your risk attitude is what we call CONSERVATOR, then you will believe that you should mostly accept only risks that are very similar to what you write already, to what you are comfortable with.  You might fear that setting an appetite would improperly encourage folks to take more risk even it it does not really fit that very stringent criteria.

If your risk attitude is what we call PRAGMATIST, then you will believe that it is a waste of time to set down a rule like that in advance.  How would you know what the opportunities will be in the future?  You might easily want to accept much more or much less.  You would think that it is a waste of time to worry about such an unknowable issue.

Only the companies that are driven by what we call the MANAGERS would embrace the risk appetite idea.  They would say that you must have a risk appetite for your ERM program to have any meaning.  Many regulators have the same MANAGER risk attitude.  They agree with the fundamental idea of ERM, with the idea that risk managers are needed to assist insurance company managers, to assess risks and to make sure that the insurer does not take too much risk.  The risk managers should also be able to help the top management of the company to select the corporate strategic balance, reflecting the best combination of risks to optimize the risk reward balance of the company.

And MANAGERS will do the best for the company when they manage the risks of the firm during times of moderate volatility.  Then their choices of risks will likely perform just as their models will predict.  However in times when opportunities are best, the MANAGERS will doubtless hold the company back from the sort of gains in profitable business that the MAXIMIERS will achieve in the companies that they run.  And in times when the red ink is running all over, the MANAGERS will urge insufficient caution and will see larger losses than their models would indicate.

In the sort of uncertain times that we have lived with for 5 years now, the MANAGER’s models will not be able to adequately point the way either.  Results will languish or bounce unexpectedly.

But it is just not true that nobody cares about Risk Appetite.

ERM Control Cycle

The seven principles of ERM for Insurers can be seen as forming an Enterprise Risk Control cycle.

The cycle starts with assessing and planning for risk taking.  That process may include the Diversification principle and/or the Portfolio principle.

Next to the steps of setting Considerations and Underwriting the risks.  These steps are sometimes operated together and sometimes separate, usually depending upon the degree to which the risks are  small and homogeneous or large and unique.

The Risk Control cycle is then applied to the risks that have been accepted.  That step is needed because even if a risk is properly priced and appropriately accepted, the insurer will want to manage the aggregate amount of such risks.  Within the risk control cycle, there is a risk mitigation step and within that step an insurer may choose to reduce their total risk or to increase their risk taking capacity.

Risks that have been accepted through the underwriting process and that the insurer is retaining after the risk control cycle process must be assessed for Provisioning, both for reserve and capital.

Finally, for this discussion of the ERM Cycle, the insurer needs to consider whether there are additional risks that have been unknowingly accepted that may emerge in the future.  The Future risk principle provides a path for that step.

For the ERM Cycle, there is actually no such thing as FINALLY.  As a cycle, it repeats infinitely.  The picture above has many two headed arrows in addition to the one way arrows that represent a single circular process.

The ERM idea sits in the middle of these seven principles.  The ERM idea is the idea that an insurer will follow a cycle like this for all of the risks of the insurer and in addition for the aggregation of all risks.  This will be done to protect all of the stakeholders of the insurers, policyholders, stockholders, bondholders, management, employees and communities to the greatest extent that their sometimes contradictory interests allow.

Most firms will put different degrees of emphasis on different elements.  Some will have very faint arrows between ERM and some of the other principles.  Some insurers will neglect some of these principles completely.

It may be that the choice of which principles to emphasize are tightly linked with their view of the risk environment.

This a part of the discussion of the seven ERM Principles for Insurers

Risk Portfolio Management

In 1952, Harry Markowitz wrote the article “Portfolio Selection” which became the seed for the theory called Modern Portfolio Theory. Modern Portfolio Theory (MPT) promises a path to follow to achieve the maximum return for a given level of risk for an investment portfolio.

It is not clear who first thought to apply the MPT ideas to a portfolio of risks in an insurer. In 1974, Gustav Hamilton of Sweden’s Statsforetag proposed the “risk management circle” to describe the interaction of all elements in the risk management process, including assessment, control, financing and communication. In 1979, Randell Brubaker wrote about “Profit Maximization for a multi line Property/Liability Company.” Since then, the idea of risk and reward optimization has become to many the actual definition of ERM.

Standard & Poor’s calls the process “Strategic Risk Management”.

“Strategic Risk Management is the Standard & Poor’s term for the part of ERM that focuses on both the risks and returns of the entire firm. Although other aspects of ERM mainly focus on limiting downside, SRM is the process that will produce the upside, which is where the real value added of ERM lies.“

The Risk Portfolio Management process is nothing more or less than looking at the expected reward and loss potential for each major profit making activity of an insurer and applying the Modern Portfolio Management ideas of portfolio optimization to that risk and reward information.

At the strategic level, insurers will leverage the risk and reward knowledge that comes from their years of experience in the insurance markets as well as from their enterprise risk management (ERM) systems to find the risks where their company’s ability to execute can produce better average risk-adjusted returns. They then seek to optimize the risk/reward mix of the entire portfolio of insurance and investment risks that they hold. There are two aspects of this optimization process. First is the identification of the opportunities of the insurer in terms of expected return for the amount of risk. The second aspect is the interdependence of the risks. A risk with low interdependency with other risks may produce a better portfolio result than another risk with a higher stand alone return on risk but higher interdependence.

Proposals to grow or shrink parts of the business and choices to offset or transfer different major portions of the total risk positions can be viewed in terms of risk-adjusted return. This can be done as part of a capital budgeting/strategic resource allocation exercise and can be incorporated into regular decision-making. Some firms bring this approach into consideration only for major ad hoc decisions on acquisitions or divestitures and some use it all the time.

There are several common activities that may support the macro- level risk exploitation.

Economic Capital
Economic capital (EC) flows from the Provisioning principle. EC is often calculated with a comprehensive risk model consistently for all of the actual risks of the company. Adjustments are made for the imperfect correlation of the risks. Identification of the highest-concentration risks as well as the risks with lower correlation to the highest-concentration risks is risk information that can be exploited. Insurers may find that they have an advantage when adding risks to those areas with lower correlation to their largest risks if they have the expertise to manage those risks as well as they manage their largest risks.

Risk-adjusted product pricing
Another part of the process to manage risk portfolio risk reward involves the Consideration principle. Product pricing is “risk-adjusted” using one of several methods. One such method is to look at expected profits as a percentage of EC resulting in an expected return-to-risk capital ratio. Another method reflects the cost of capital associated with the economic capital of the product as well as volatility of expected income. The cost of capital is determined as the difference between the price to obtain capital and the rate of investment earnings on capital held by the insurer. Product profit projections then will show the pure profit as well as the return for risk of the product. Risk-adjusted value added is another way of approaching risk-adjusted pricing.

Capital budgeting
The capital needed to fulfill proposed business plans is projected based on the economic capital associated with the plans. Acceptance of strategic plans includes consideration of these capital needs and the returns associated with the capital that will be used. Risk exploitation as described above is one of the ways to optimize the use of capital over the planning period. The allocation of risk capital is a key step in this process.

Risk-adjusted performance measurement (RAPM)
Financial results of business plans are measured on a risk-adjusted basis. This includes recognition of the cost of holding the economic capital that is necessary to support each business as reflected in risk-adjusted pricing as well as the risk premiums and loss reserves for multi-period risks such as credit losses or casualty coverages. This should tie directly to the expectations of risk- adjusted profits that are used for product pricing and capital budgeting. Product pricing and capital budgeting form the expectations of performance. Risk-adjusted performance measurement means actually creating a system that reports on the degree to which those expectations are or are not met.

For non-life insurers, Risk Portfolio Management involves making strategic trade-offs between insurance, credit (on reinsurance ceded) and all aspects of investment risk based on a long-term view of risk-adjusted return for all of their choices.

Insurers that do not practice Portfolio Risk Management usually fail to do so because they do not have a common measurement basis across all of their risks. The recent move of many insurers to develop economic capital models provides a powerful tool that can be used as the common risk measure for this process. Economic capital is most often the metric used to define risk in the risk/reward equation of insurers.

Some insurers choose not to develop an EC model and instead rely upon rating agency or regulatory capital formulas. The regulatory and rating agency capital formulas are by their nature broad market estimates of the risk capital of the insurer. These formulae will over-state the capital needs for some of the insurer’s activity and understate the needs for others. The insurer has the specific data about their own risks and can do a better job of assessing their risks than any outsider could ever do. In some cases, insurers took high amounts of catastrophe exposure or embedded guarantee and option risks, which were not penalized in the generic capital formulas. In the end, some insurers found that they had taken much more risk than their actual loss tolerance or capacity.

Risk Portfolio management provides insurers with the framework to take full advantage of the power of diversification in their risk selection. They will look at their insurance and investment choices based on the impact, after diversification, on their total risk/reward profile. These insurers will also react to the cycles in risk premium that exist for all of their different insurance risks and for all of their investment risks in the context of their total portfolio.

Sales of most insurance company products result in an increase in the amount of capital needed by the business due to low or negative initial profits and the need to support the new business with Economic Capital. After the year of issue, most insurance company products will show annual releases of capital both due to the earnings of the product as well as the release of supporting capital that is no longer needed due to terminations of prior coverages. The net capital needs of a business arise when growth (new sales less terminations) is high and/or profits are low and capital is released when growth is low and/or profits are high.

The definition of the capital needs for a product is the same as the definition of distributable earnings for an entire business: projected earnings less the increase in Economic Capital. The capital budgeting process will then focus on obtaining the right mix of short and long term returns for the capital that is needed for each set of business plans.

Both new and existing products can be subjected to this capital budgeting discipline. A forecast of capital usage by a new product can be developed and used as a factor in deciding which of several new products to develop. In considering new and existing products, capital budgeting may involve examining historic and projected financial returns.

Pitfalls of Risk Portfolio Management

In theory, optimization processes can be shown to produce the best results for practitioners. And for periods of time when fluctuations of experience are moderate and fall comfortably within the model parameters, continual fine tuning and higher reliance on the modeled optimization recommendations produce ever growing rewards for the expert practitioner. However, model errors and uncertainties are magnified when management relies upon the risk model to lever up the business. And at some point, the user of complex risk models will see that levering up their business seems to be a safe and profitable way to operate. When volatility shifts into a less predictable and/or higher level, the highly levered company can find it self quickly in major trouble.

Even without major deviations of experience, the Risk Portfolio Management principles can lead to major business disruptions. When an insurer makes a major change in its risk profile through an acquisition or divestiture of a large part of their business, the capital allocation of all other activities may shift drastically. Strict adherence to theory can whipsaw businesses as the insurer makes large changes in business.

Insurers need to be careful to use the risk model information to inform strategic decisions without overreliance and abdication of management judgment. Management should also push usage of risk and reward thinking throughout the organization. The one assumption that seems to cause the most trouble is correlation. The saying goes that “in a crisis, all correlations go to one”. If the justification for a major strategic decision is that correlations are far from one, management should take note of the above saying and prepare accordingly. In addition management should study the variability of correlations over time. They will find that correlations are often highly unreliable and this should have a major impact on the way that they are used in the Risk Portfolio Management process.

Risk Portfolio Management is one of the Seven ERM Principles for Insurers